Ransomware Continues To Evolve On Android Devices

Hackers around the world are continuing to innovate at a terrifying, relentless pace, and that truth is reflected in the latest form of ransomware to be found in the wild.

Dubbed “DoubleLocker,” this new strain targets Android devices. It uses and abuses the platform’s Accessibility Service, reactivating itself every time the user presses the phone’s “Home” button.

Initial forensic analysis of the code base reveals this new threat to be based on Svpeng, which is a nasty form of malware that has a rather infamous reputation among Android users. It is one of the best-known banking trojans on the platform, used to steal money from people’s bank accounts, change PINs, brick devices and demand ransoms to return them to operability.

Although DoubleLocker does not contain Svpeng’s banking hack features, it is a very advanced, highly sophisticated piece of code.

As with so many other malicious programs, it gains an initial foothold on the user’s device by disguising itself as some other, perfectly legitimate program (most often, Flash Player). Once installed, if the user grants the app access to Android’s Accessibility Service, the app can mimic screen taps and swipes, which lets it navigate the user’s phone on its own.

It immediately replaces the user’s PIN with a ransom PIN code and encrypts all files on the device.

This is the most significant development, because before DoubleLocker was found in the wild, most Android ransomware worked by simply locking the user’s phone. This one takes its cues from PC-based ransomware and takes the added step of encrypting the files themselves.

Another intriguing difference is that while most ransomware is configured to send the user an unlock code once the ransom is paid, no such code is sent to a user infected by DoubleLocker. Instead, the hackers unlock the phone remotely, upon receiving payment.

For users impacted by DoubleLocker, the following advice has been offered by ESET:

“The only viable option to clean the device of the DoubleLocker ransomware is via a factory reset.

For rooted devices, however, there is a method to get past the PIN lock without a factory reset. For the method to work the device needed to be in the debugging mode before the ransomware got activated.

If this condition is met, then the user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device admin rights for the malware and uninstall it. In some cases, a reboot is needed. As for data stored on the device, there is no way to recover it, as mentioned earlier.”

Ransomware Attackers Are Increasing Their Attacks On Businesses

The ransomware ecosystem is maturing. Strains are divided into “families,” and the number of new families discovered in 2017 is half what it was in 2016. Even so, the total number of attacks targeting businesses has risen by 26 percent over last year’s totals, according to the latest statistics released by Kaspersky Lab.

Rather than inventing wholly new software strains, hackers around the world seem content to modify existing strains, with the number of modifications growing from 54,000 to an astonishing 96,000 this year.

The modifications are having impacts that extend far beyond simply allowing them to slip past a company’s defenses. Last year, 29 percent of companies impacted by a ransomware attack claimed that the incident took a week or longer to recover from. This year, that percentage rose to 34 percent.

According to one of Kaspersky’s senior malware analysts, Fedor Sinitsyn, “The headline attacks of 2017 are an extreme example of growing criminal interest in corporate targets. We spotted this trend in 2016, it has accelerated throughout 2017, and shows no signs of slowing down.

Business victims are remarkably vulnerable, can be charged a higher ransom than individuals and are often willing to pay up in order to keep the business operational. New business-focused infection vectors, such as through remote desktop systems, are not surprisingly on the rise.”

In addition to the total number of such attacks increasing, we’ve seen several large-scale attacks this year, and there’s no reason to believe that we won’t see more of that in the months and years ahead.

This represents a fundamental shift in strategy as compared to years past and is a clear indication that hacking groups around the world are increasingly coordinating their efforts and learning from one another. That’s bad news for IT security professionals everywhere.

Some Computer Manufacturers Are Disabling Intel Chip Firmware

Intel is catching some flak for releasing CPU technology that’s filled with security flaws. At issue is Intel’s Management Engine (ME), which is designed for enterprise use and is of no real value on equipment designed for personal or home use.

Although many popular PC and laptop manufacturers, including Acer, Panasonic, Lenovo, Fujitsu, HP and others are selling equipment with Intel ME enabled, so far, three hardware vendors have opted to disable the firmware.

These three vendors are Dell, System76 and a company called Purism. Of particular interest is the fact that Purism opted to disable the Management Engine almost a full month before Intel released any information about the security flaws in their technology. Apparently, someone else found a way to disable Intel ME, and the company decided to use it as a means of improving the privacy protections of its customers.

According to a recent blog post published by Purism:

“Disabling the Management Engine is no easy task, and it has taken security researchers years to find a way to properly and verifiably disable it. The Librem 13 and Librem 15 products can be purchased today and will arrive with the Management Engine disabled by default.”

The equipment manufacturers who are selling their wares with the Intel Management Engine enabled have all promised to patch the security flaws in a future update, but as of right now, none of those manufacturers have provided an ETA for when that might be.

In the meantime, if you’re looking to upgrade your equipment and you don’t want to expose yourself or your organization to unnecessary risk, buying from any of the three vendors mentioned above, Dell, System76 or Purism, is a smart choice. It gives your network security team one less thing to worry about, and that’s always a good thing.

Some Websites Can Force Your Computer To Mine Cryptocurrency

Researchers at Malwarebytes have discovered a new exploit that allows malicious website owners to use your PC to mine various forms of cryptocurrency, even if you exit the browser window the malicious site was displayed on.

The exploit relies on a smart pop-under trick. Code on the website determines your monitor’s resolution and places a ghost browser session sitting behind the clock on the MS Windows taskbar, where it continues to mine cryptocurrency, utilizing a portion of your CPU’s power and resources.

The impact on your system’s performance is nominal, so only the most observant users will notice anything amiss.

According to Malwarebytes researcher Jerome Segura, “This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient. The more technical users will want to run Task Manager to ensure there are no remnant running browser processes and terminate them. Alternatively, the taskbar will show the browser’s icon with slight highlighting, indicating that it is still running.”

It’s worth noting that there are a couple of other ways to determine whether some portion of your system’s resources is being co-opted in this manner. Restarting your system will certainly do the trick, and if you have your taskbar set to transparent, you’ll be able to see the pop-under quite clearly. Also, resizing or relocating the taskbar will reveal the hidden browser window.
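The checks above all come down to the same observation: the pop-under is a real, visible top-level window that has been positioned where the taskbar covers it. The following script is an added example (not Malwarebytes’ code or anything from the campaign) that flags visible windows lying entirely outside the desktop work area, the screen minus the taskbar. The window list and screen geometry in it are constructed sample data; on Windows, the `live_windows` helper collects the real list through the user32 calls named in its docstring, and everything else about the script (names, layout) is the example’s own.

```python
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Rect:
    left: int
    top: int
    right: int
    bottom: int

    def intersects(self, other):
        # True when the two rectangles share at least one pixel.
        return (self.left < other.right and other.left < self.right
                and self.top < other.bottom and other.top < self.bottom)


@dataclass(frozen=True)
class Window:
    title: str
    rect: Rect


def hidden_windows(windows, work_area):
    """Return the windows that do not overlap the desktop work area at all.

    The work area is the screen minus the taskbar, so a window that never
    touches it is either pushed off-screen or parked in the taskbar strip,
    where the always-on-top taskbar covers it completely."""
    return [w for w in windows if not w.rect.intersects(work_area)]


# Constructed sample data: a 1920x1080 display with a 40 px taskbar along the
# bottom edge, so the work area ends at y = 1040.
SAMPLE_WORK_AREA = Rect(0, 0, 1920, 1040)
SAMPLE_WINDOWS = [
    Window("Quarterly report - Word", Rect(100, 100, 1300, 900)),
    Window("News site - Browser", Rect(300, 50, 1800, 1000)),
    # A small browser window sitting under the clock in the bottom-right corner.
    Window("Browser", Rect(1790, 1045, 1910, 1075)),
    # A window moved entirely off the right edge of the screen.
    Window("Browser", Rect(2000, 50, 2200, 150)),
]


def live_windows():
    """Enumerate visible, titled top-level windows and the work area on Windows.

    Uses the user32 calls EnumWindows, IsWindowVisible, GetWindowTextLengthW,
    GetWindowTextW, GetWindowRect and SystemParametersInfoW(SPI_GETWORKAREA).
    Only meaningful on Windows; callers should guard on sys.platform."""
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.windll.user32
    found = []

    @ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    def on_window(hwnd, _lparam):
        if user32.IsWindowVisible(hwnd):
            length = user32.GetWindowTextLengthW(hwnd)
            buf = ctypes.create_unicode_buffer(length + 1)
            user32.GetWindowTextW(hwnd, buf, length + 1)
            r = wintypes.RECT()
            user32.GetWindowRect(hwnd, ctypes.byref(r))
            if buf.value:  # skip untitled helper windows
                found.append(Window(buf.value, Rect(r.left, r.top, r.right, r.bottom)))
        return True

    user32.EnumWindows(on_window, 0)
    area = wintypes.RECT()
    user32.SystemParametersInfoW(0x0030, 0, ctypes.byref(area), 0)  # SPI_GETWORKAREA
    return found, Rect(area.left, area.top, area.right, area.bottom)


if __name__ == "__main__":
    if sys.platform == "win32":
        windows, work_area = live_windows()
    else:
        windows, work_area = SAMPLE_WINDOWS, SAMPLE_WORK_AREA
    for w in hidden_windows(windows, work_area):
        print(f"hidden window: {w.title!r} at {w.rect}")
```

Run on the sample data it reports the two “Browser” windows and nothing else; on a Windows desktop it lists every titled window the taskbar or screen edge is hiding, which is the same information you would get by making the taskbar transparent or dragging it aside.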

This is but the latest chapter in the ongoing battle between hackers and unscrupulous website owners and the makers of adblocking and other types of security software. In time, ad blocking software will be modified to catch this type of exploit, and in response, the owners of malicious websites will change their approach and find a new way to get around various detection schemes. As ever, while software can certainly help, vigilance remains the best defense.

Watch Out For New Facebook “Trusted Friend” Scam

If you can’t trust your friends, who can you trust?

No one, apparently.

There’s a new scam on Facebook that’s making waves, and it’s one you should be mindful of. You may get an “urgent message” from someone you know, asking for your help in recovering their Facebook account.

This is a tried-and-true phishing scam, relying on some basic psychology. After all, if you get an earnest-sounding message from someone you know explaining that you’re listed as one of their “Trusted Friends” and as such, uniquely positioned to help verify their identity so they can get access to their account back, who wouldn’t instinctively respond? This is exactly what the scammers are hoping for.

The message goes on to explain that they’re sending an unlock code to your email address, and they just want you to reset the password for them.

Unfortunately, the unlock code is nothing of the sort. Instead, it triggers a password reset for your own account. If you click the link and “reset your friend’s password,” then reply back, helpfully telling him or her what the new password is, you’ve inadvertently given your own login information to the hackers. From there, the sky’s the limit.

What makes this latest scam particularly problematic is that so many other web properties allow you to use your Facebook login details to access them, which is a roundabout way of saying that you’re using the same login credentials across multiple websites – one of the most basic and pervasive problems of user security in existence.

There’s no real defense for this other than vigilance, and if you see a message like this, simply ignore it. If your “trusted friend” genuinely needs help regaining control of their account, Facebook has resources to assist.

New “Mailsploit” Allows Email Spoofing

Phishing attacks just got a whole lot easier.

A German security researcher named Sabri Haddouche has recently discovered a set of email vulnerabilities that have been collectively dubbed “Mailsploit.” At root, these vulnerabilities stem from the way most email systems interpret addresses encoded with a 1992 standard called RFC 1342.

The standard requires that all information in an email header be ASCII, so any non-ASCII characters are converted into an encoded form that the receiving client decodes. Unfortunately, a shockingly large number of email clients (33 and counting) make no effort to check the decoded header afterward for malicious code.

Also, if the decoded header contains a null byte, or two or more email addresses, the only address that gets read is the one preceding the null byte, or the first valid email address encountered.
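The missing step the passage describes is a sanity check on the header after it has been decoded. The following is an added example (not Haddouche’s code or any mail client’s) of what such a check can look like in Python: it decodes the encoded words in a From: value with the standard library’s `email.header.decode_header`, which implements the encoded-word syntax of RFC 2047, the successor to RFC 1342, and then refuses control characters in the result and a display name that itself looks like an address different from the real sender. The two sample headers, the `example.com`/`example.net` addresses and the function names are constructed for the example.

```python
import re
from email.header import decode_header
from email.utils import parseaddr

# Constructed sample From: values (not taken from the Mailsploit write-up).
# The first is an ordinary non-ASCII display name; the second hides an
# address and a NUL byte (=00) inside the encoded word, the pattern
# described above, while the real address sits in the angle brackets.
BENIGN_FROM = "=?utf-8?q?Jos=C3=A9_Garc=C3=ADa?= <jose@example.com>"
SUSPICIOUS_FROM = "=?utf-8?q?alice=40example.com=00?= <noreply@example.net>"

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
ADDRESS_LIKE = re.compile(r"[^\s<>@\x00-\x1f]+@[^\s<>@\x00-\x1f]+")


def decode_display_name(raw_header):
    """Split a From: value into (decoded display name, address).

    decode_header() performs the RFC 2047 encoded-word decoding that a mail
    client does before rendering the sender, so the checks below see the
    same text the user would see."""
    encoded_name, address = parseaddr(raw_header)
    pieces = []
    for part, charset in decode_header(encoded_name):
        if isinstance(part, bytes):
            part = part.decode(charset or "ascii", errors="replace")
        pieces.append(part)
    return "".join(pieces), address


def check_from_header(raw_header):
    """Return findings for a From: value; an empty list means it looks clean.

    Two things worth doing after decoding: reject control characters (a NUL
    truncates naive string handling, as described above) and reject a
    display name that looks like an address other than the real sender."""
    name, address = decode_display_name(raw_header)
    findings = []
    if CONTROL_CHARS.search(name):
        findings.append("control character in decoded display name")
    for candidate in ADDRESS_LIKE.findall(name):
        if candidate.lower() != address.lower():
            findings.append(
                f"display name shows {candidate!r} but the sender is {address!r}")
    return findings


if __name__ == "__main__":
    for header in (BENIGN_FROM, SUSPICIOUS_FROM):
        print(header, "->", check_from_header(header) or "ok")
```

The benign header decodes to “José García” and passes; the suspicious one produces two findings, one for the embedded NUL and one because the decoded display name advertises `alice@example.com` while the message actually comes from `noreply@example.net`. A client (or a mail gateway) that applies checks like these after decoding is not fooled by what the encoded word hides.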

The email clients vulnerable to this type of attack include:

  • Apple Mail
  • Mail for Windows 10
  • Microsoft Outlook 2016
  • Mozilla Thunderbird
  • Yahoo! Mail
  • AOL Mail

Many others are affected as well, but Haddouche notes that Gmail is unaffected by the exploit.

There are two ways a hacker can use Mailsploit. First and most obvious to the eye is the fact that it can be used to spoof an email address, making it appear to be from someone you know, which, of course, has the impact of making it much more likely that you’ll click on any links embedded in the body of the message.

Secondly, and potentially even more troubling, is the fact that the exploit can be used to inject malicious code directly onto the recipient’s machine, which can easily give the hacker sending the email full control of the target’s system.

Worst of all, though, is the fact that while Haddouche contacted all of the companies found to offer vulnerable email clients, only eight of them have released a patch to correct the issue. Twelve vendors opted to triage the bug, but gave no information on if or when the issue might be patched, and twelve others made no reply at all.

Mozilla and Opera (both vulnerable) flatly refused to address the problem, which they see as a server-side issue.

Your IT staff’s job just got a whole lot harder.

Be Careful Of Downloads – Google Play Store Sees Malware Increase

Google’s Play Store is under siege. In recent months, there has been a sharp spike in malware campaigns launched against the store, with a shocking number of poisoned apps slipping past Google’s robust system of checks designed to prevent, or at least minimize, such occurrences.

The spike in poisoned apps has been reported by three different security companies: Dr. Web, McAfee and Malwarebytes.

According to the latest McAfee report, 144 Play Store apps have been identified as containing malware. To give you a sense of the scope and scale of the attack, McAfee analyzed a sample of 34 of the malicious apps and found that they had been downloaded between 4.2 million and 17.4 million times.

Of the malware strains found to be present on the Play Store, far and away the most common is Grabos, which is designed to push fake notifications that trick unsuspecting users into installing other apps. Based on the observed behavior, it’s likely that Grabos’ authors generate revenue based on the number of installs achieved. Based on the sheer number of downloads, it’s a model that’s paying handsome dividends for the hackers.

The second most common malware strain identified in the McAfee report is AsiaHitGroup, which utilizes an IP blacklist to specifically target users in Asian countries. This malware was initially found in an app named “QR Code Generator,” and once it infects a user’s machine, it will download a second-stage threat in the form of an SMS Trojan, which auto-subscribes infected users to premium phone numbers using SMS text messages.

Since its initial discovery in QR Code Generator, the AsiaHitGroup malware has been found in a variety of other apps, including alarm clock, photo editor and internet speed test apps.

The security firm Dr. Web found a third distinct malware strain called Android.RemoteCode.106.origin, which was found to be embedded in nine different Play Store apps that had been downloaded between 2.37 million and 11.7 million times.

This campaign opens an “invisible” browser page that shows ads and is the least intrusive of the malware strains found. It’s likely that the hackers controlling this one get paid via ad impressions which are spoofed on the invisible browser window.

In addition to these, ESET has identified a fourth threat: eight different apps infected with the MazerBot banking Trojan. This one is potentially the most damaging of the recently identified threats.

Google’s Play Store is clearly a fair bit more dangerous currently than its users are accustomed to. Be very careful when downloading apps until Google can beat back these recent attacks.

Files Containing Nearly 1.5 Billion Passwords Leaked On The Internet

Researchers from the security firm 4iQ have made a disturbing discovery on the dark web. A massive repository has been discovered that contains a staggering 1.4 billion usernames and passwords in plain text.

The repository is well organized, with each letter of the alphabet having its own directory to facilitate rapid search, and 4iQ has tested a subset of the data it contains and found an alarming percentage of the usernames and passwords to be viable.

It should be noted that this data isn’t from a new, previously unknown breach, but rather, an aggregation of data stolen from 252 previous breaches. The CTO of 4iQ, Julio Casal, had this to say about the discovery:

“None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true. The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo lists that exposed 797 million records. This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps.”

The usernames and passwords come from a wide range of sources including Runescape, Minecraft, RedBox, Badoo, Zoosh, Last.FM, YouPorn, Netflix, MySpace, LinkedIn, Pastebin, Bitcoin and many others.

What’s even worse is that as large as this collection is, it’s really just the tip of the iceberg. A shocking percentage of users have the bad habit of using the same credentials across multiple web properties, so it’s a statistical certainty that many of the passwords contained in this file will give hackers access to much more than just the web properties the passwords were stolen from.

If you’re not yet in the habit of changing your passwords on a regular basis, you should begin doing so immediately, and if you’re one of the hundreds of millions of people who use the same password on multiple sites, it’s well past time to break that habit.

Report Shows Small Percentage Of Employees Know About Ransomware

The statistics are alarming. Ransomware is fast becoming the favored hobby horse of hackers worldwide. Barely a week goes by that a new strain isn’t introduced into the wild, with expensive, and often tragic, consequences. Right now, the average amount paid by office workers impacted by a ransomware attack is $1,400, a figure that continues to creep higher.

What’s perhaps even more alarming, however, is the fact that although companies the world over have made a concerted effort to sound the alarm on the danger this type of software represents, no more than 30 percent of knowledge workers have any real understanding of the dangers that ransomware poses, according to Intermedia’s 2017 Data Vulnerability Report.

One of the most curious findings of the report was the fact that employees more often shoulder the costs of ransomware payments than employers do, with fully 59 percent of impacted employees paying the ransom out of their own pockets.

Unfortunately, small and medium-sized businesses are particularly vulnerable to this large and growing threat. Jonathan Levine, Intermedia’s CTO, had this to say on the topic:

“As ransomware continues to evolve and become more advanced, organizations of all sizes and types must acknowledge it as a very real threat. This is especially true for SMBs that may not have the resources, tools or training that larger organizations use to recognize, prevent and protect themselves from such attacks. Ransomware can infiltrate and shut down an entire business through just one infected computer. More often than not, SMBs feel they are forced to pay a ransom they can’t, but must afford, and hackers realize this.”

Perhaps worst and most distressing of all is the fact that 19 percent of the time, even when a ransom is paid, the files are never unlocked, making it a bad gamble. If you run a company of any size, make sure your employees from top to bottom fully appreciate the threat this attack vector poses.

Malware Infections Grow 4X In Just One Quarter

The world’s hackers have been busy according to the latest report by Comodo security, which tracks the total number of threats around the globe, quarter by quarter. The latest statistics are alarming, showing a massive jump in the total number of malware infections reported in the third quarter of 2017. Reports show nearly 400 million infections.

What’s worse is that the infections have spread to literally every corner of the globe. No nation is completely safe.

Digging more deeply into the statistics offered by Comodo, we find that the top five countries for malware infections this quarter were:

  • Russia
  • The United States
  • Poland
  • The United Kingdom
  • And Germany

These five nations combined accounted for fully 80 percent of the total number of infections reported.

Breaking the infections down by type, we find the following as the top 5:

  • Trojans (13.7 million)
  • Viruses (5.4 million)
  • Worms (2.8 million)
  • Backdoors (553,000)
  • And Packed Malware (284,000)

Diving even more deeply into the statistics yields more good information, including the fact that poorer nations tend to be afflicted more often by viruses and worms as these nations tend to use older, unpatched or unlicensed software. These types of infections tend to run rampant in Southeast Asia, Southeastern Europe, Africa and South America.

The report also details that the number of large-scale email phishing attacks is on the rise, due in no small part to the recent popularity of Locky and other strains of ransomware, with the largest phishing attack having been conducted from August to September 2017. According to the report:

“This attack was unique in its combination of sophistication and size, backed by a botnet spread across more than 11,000 IP addresses in 133 countries in just the first stage of the attack. Also, the malware was designed to avoid detection by sandboxing and artificial intelligence technologies common in many endpoint protection systems.”

All in all, it’s a fascinating, though disturbing read, and points to the rapidly increasing sophistication of the world’s hackers that will no doubt continue to spell trouble for security professionals around the globe.